Announcing the Sigstore Transparency Log Research Dataset

October 15, 2025 | Blog, Guest Blog

Cross-post originally published on the sigstore Blog

By Hayden Blauzvern & Eve Martin-Jones, Google Open Source Security Team

We’re pleased to announce the creation of a new BigQuery public dataset, rekor. The rekor dataset is an easily queryable mirror of the public good instance of Sigstore’s transparency log, Rekor.

As a reminder, signing events are recorded in Rekor, Sigstore’s append-only transparency log. Software consumers rely on cryptographic proofs of log inclusion to verify that software artifacts are recorded in the log. Software producers can use a Rekor monitor to check the metadata in the log, verifying that the recorded signature metadata was produced as expected when their identities or keys were used to sign artifacts. While software producers should monitor the log directly, researchers had to run similar monitoring tooling to ingest all entries, which added complexity and cost for research.

This dataset will allow open source supply chain researchers and other interested parties to gather aggregate data on how artifacts are being signed with Sigstore, answering questions like “what is the most common CI provider used to sign artifacts?” or “how many artifacts are signed each month?”.

Sample queries can be found at the BigQuery marketplace listing.

If you have any questions or feedback, please contact us at rekor-dataset@google.com.

Watch the talk from OpenSSF Community Day North America.

About the Authors

Hayden Blauzvern is a technical lead manager on Google’s Open Source Security Team, focused on making open-source software more secure through code signing and binary transparency. Hayden is a maintainer and the community chair on the Sigstore project.

Eve Martin-Jones is an engineer working on open source software security at Google. She lives in Australia, with her cat Mochi, who is surprisingly proficient at JavaScript. Between D&D campaigns, she can be found deciphering the Cargo dependency-resolution algorithm bug-for-bug, advocating for women in tech, and furthering adoption of open source standards like SLSA.